[Honeypot Alert] Mass Joomla Component LFI Attacks Identified

Joomla Component LFI Vulnerabilities

Joomla has hundreds of Controller components. Check out the Joomla Extension site for examples. Unfortunately, the vast majority of these components have LFI vulnerabilities. The vulnerability details are pretty much the same in each case:

The vulnerable page is "index.php".

The "option" parameter is set to "com_xxxxxx" where xxxx is the vulnerable component name.

Input passed via the "controller" parameter is not properly verified before being used to include files.

By appending URL-encoded NULL bytes, an attacker can specify an arbitrary local file.

Honeypot Attack Probes Identified

Our daily honeypot analysis has identified a mass scanning campaign aimed at various Joomla Component Local File Inclusion (LFI) Vulnerabilities. Here are a few example attacks taken from today's honeypot logs:

Notice that various components are targeted in the "option" parameter and that a directory traversal attack is used in the "controller" parameter. The LFI payload is attempting to enumerate the OS shell environment data.
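A defender-side sketch of the request pattern described above, added here as an example and not taken from the original post or its honeypot tooling: it scans access-log lines for requests to index.php whose "option" names a component and whose "controller" value, once decoded, contains a NUL byte or directory traversal, then tallies hits per component and per source. The log lines, IP addresses, component names and file paths are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access log: documentation IPs, placeholder component names and paths.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /index.php?option=com_example1&controller=../../../some/local/file%00 HTTP/1.1" 404 512
192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "GET /index.php?option=com_example2&controller=..%2F..%2Fsome%2Flocal%2Ffile%00 HTTP/1.1" 404 512
198.51.100.7 - - [01/Jan/2024:00:00:03 +0000] "GET /index.php?option=com_example1&controller=%252e%252e%252fsome%252ffile HTTP/1.1" 404 512
203.0.113.5 - - [01/Jan/2024:00:00:04 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000
203.0.113.5 - - [01/Jan/2024:00:00:05 +0000] "GET /index.php?option=com_example3&controller=items HTTP/1.1" 200 700
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def probed_component(url):
    """Return the component named in "option" if the request fits the LFI pattern, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/index.php"):
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    option = params.get("option", "").lower()
    controller = fully_decode(params.get("controller", ""))
    # A legitimate controller is a plain name; a NUL byte or ../ marks a probe.
    suspicious = "\x00" in controller or bool(TRAVERSAL_RE.search(controller))
    return option if option.startswith("com_") and suspicious else None

def summarise(log_text):
    """Count matching probes per targeted component and per source address."""
    by_component, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        component = probed_component(m.group(2)) if m else None
        if component:
            by_component[component] += 1
            by_source[m.group(1)] += 1
    return by_component, by_source
```

Calling summarise(SAMPLE_LOG) returns the two counters; the ordinary com_content request and the request with a plain controller name are not counted.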

Attack Statistics

Number of attacks seen: 1538

Number of unique attack sources: 45

Top 25 Joomla Component LFI Attacker Sources

| # of Attacks | IP Address | Country Code | Country Name | Region | Region Name | City |
|---|---|---|---|---|---|---|
| 491 | 180.235.131.131 | AU | Australia | | | |
| 95 | 210.173.154.35 | JP | Japan | | | |
| 86 | 74.50.25.165 | US | United States | CA | California | Anaheim |
| 80 | 91.121.87.48 | FR | France | | | |
| 67 | 69.27.109.40 | CA | Canada | SK | Saskatchewan | Saskatoon |
| 58 | 46.105.98.146 | FR | France | | | |
| 58 | 180.151.1.68 | IN | India | 07 | Delhi | New Delhi |
| 51 | 67.23.229.237 | US | United States | NY | New York | New York |
| 42 | 64.92.125.26 | US | United States | CO | Colorado | Denver |
| 42 | 182.255.0.200 | ID | Indonesia | | | |
| 39 | 82.192.87.86 | NL | Netherlands | 07 | Noord-Holland | Amsterdam |
| 38 | 174.122.220.10 | US | United States | TX | Texas | Houston |
| 37 | 178.162.231.59 | CA | Canada | | | |
| 36 | 72.47.211.229 | US | United States | CA | California | Culver City |
| 33 | 122.201.80.95 | AU | Australia | 02 | New South Wales | Sydney |
| 32 | 174.37.16.78 | US | United States | TX | Texas | Dallas |
| 31 | 64.13.224.234 | US | United States | CA | California | Culver City |
| 27 | 109.75.169.20 | GB | United Kingdom | | | |
| 25 | 65.98.23.170 | US | United States | CA | California | San Francisco |
| 25 | 46.20.45.50 | DE | Germany | | | |
| 24 | 193.106.93.131 | RU | Russian Federation | | | |
| 16 | 85.36.63.35 | IT | Italy | | | |
| 11 | 71.17.4.161 | CA | Canada | SK | Saskatchewan | Lloydminster |
| 10 | 50.73.66.4 | US | United States | | | |
| 9 | 173.245.78.42 | US | United States | CA | California | Fremont |
| 8 | 92.60.124.128 | ES | Spain | | | |

Joomla Components Targeted

Here is a listing of the various Joomla components that were targeted in today's attacks: